FluxBB 1.5.10 released

Franz · 2016-06-16 12:50:21

I am pleased to announce the eleventh release in the 1.5 cycle: v1.5.10 is here.

This release fixes a security vulnerability as well as several bugs, and also contains several small improvements.

The vulnerability, kindly disclosed by Kacper Szurek, allowed skilled attackers to inject malicious JavaScript into the page that is shown when administrators try to view information about a user's IP address.

In addition, this release contains some minor improvements in the area of CSS and usability, and fixes several smaller bugs. For more details, please view the full changelog.

Please update your forums as soon as possible.

We also recommend subscribing to the security mailing list in your site's user profile. That way, you will get notified of new security-relevant releases immediately.

As always, download packages can be found on our download page.
Changed files and patches are available on the upgrade page. Please remember to make a backup of your files as well as the database before upgrading your forum!

A big thank you to all contributors, and again a hat-tip to Kacper Szurek for the detailed and responsible disclosure of security information!

Last edited by Franz (2016-06-17 11:53:10)

wimc · 2016-06-16 13:45:55

Got it, easy and successful upgrade at that.

Made changes throughout the my forum, easily change it back with new version. Just made forum2 for 1.5.10 and added the config.php file over, ran db_update.php file. Way I did it, fine with it.

ehtime · 2016-06-16 13:59:07

Great!

walterfenley · 2016-06-16 15:43:25

Hi there,
i am going to use this forum software for my upcoming forum but, i have some question if anyone can help, i will be very thankful to him.
1)I want to Make user register and login only through twitter And only those users can post on the forum which are register through twitter.
2) if someone posts on the forum that should be automatically posted on the twitter page of that person and if some one reply to that post on the forum that should also be added to the twitter page of that person.
.Thread-starter can write a link like "google.com" and then the webpage screen frame of "google.com" will appear inside the thread.

Last edited by walterfenley (2016-06-16 22:48:22)

chris98 · 2016-06-16 17:02:08

Are the tickets which contain the security vulnerabilities public? I can't see them in the changelog you linked to.

Franz · 2016-06-16 20:51:06

chris98 wrote:

Are the tickets which contain the security vulnerabilities public? I can't see them in the changelog you linked to.

Nope. The issue was reported by email.

chris98 · 2016-06-17 07:56:05

Oh, ok.

I just tried to use the upgrade page to see which files had been upgraded, and when you select to upgrade from 1.5.9 to 1.5.10, it says that 1.5.9 is the latest version.

Franz · 2016-06-17 11:52:43

chris98 wrote:

I just tried to use the upgrade page to see which files had been upgraded, and when you select to upgrade from 1.5.9 to 1.5.10, it says that 1.5.9 is the latest version.

Oh, thanks for catching that, too. Turns out you shouldn't sort version numbers alphabetically when trying to determine the latest version. Not the first time this happened...

Works now.

---

For everyone:

I recommend subscribing to the security mailing list in your site's user profile. That way, you will get notified of new security-relevant releases immediately.

chris98 · 2016-06-17 12:01:51

No problem, thanks for fixing it, looks like it's been a fairly good bug-fixing release. If I were to suggest one improvement though, it would be to have a dedicated page to unsubscribe which is linked to from the subscription email.

Once you're on the page, the token is filled into the form and you click the "unsubscribe" button. This is how phpBB handles it, anyway.

I did happen to notice one more problem though on the site, when viewing the changelog, 1.5.10 is down next to 1.5.1 - guess you also listed them alphabetically there too.

Visman · 2016-06-17 12:44:30

https://fluxbb.org/download/releases/1. … 1.5.9.html
bad change in login.php

Franz · 2016-06-17 12:58:33

@Visman: No, it's a good change. Unfortunately, it had Windows line endings before, we fixed that now.

P.S.: If you want to see the changes without whitespace changes, use this link: https://github.com/fluxbb/fluxbb/compar … b3cb66db98

Last edited by Franz (2016-06-17 13:00:13)

Visman · 2016-06-17 13:28:28

Visman wrote:

https://fluxbb.org/download/releases/1. … 1.5.9.html
bad change in login.php

empty change for login.php

Blueeyez · 2016-06-17 17:36:44

Just upgradede https://kviksupport.dk from 1.5.9 to 1.5.10 with no problems

Last edited by Blueeyez (2016-06-17 17:37:27)

cyberman · 2016-06-17 20:40:19

Is there anything I should/can do for 1.4 series, or it's only 1.5 related?

Visman · 2016-06-18 04:23:08

1.4 long dead.

cyberman · 2016-06-18 09:47:21

Visman wrote:

1.4 long dead.

Have I missed the official statement for that?

Last security update comes out october 2014...

Visman · 2016-06-18 11:39:37

last version 1.4.x -> 1.4.10 completed 2013-04-22.
3 years as a dead

cyberman · 2016-06-18 13:17:12

1.4.x does what I want, has some (a lot) useful mods inside.

And there are some features inside 1.5 I dont want/need .

You know - never change a running system.

Franz · 2016-06-18 13:43:28

@cyberman: Just apply this commit, that fixes the vulnerability.

Gary · 2016-06-19 00:44:41

Well done Franz. So good to see another release.

Studio384 · 2016-06-20 12:03:12

Visman wrote:

last version 1.4.x -> 1.4.10 completed 2013-04-22.
3 years as a dead

1.4.13 is the latest release, and normally there should still be support for security related issues last time I checked.

Visman · 2016-06-20 12:23:06

https://fluxbb.org/development/core/roadmap/completed/
Where 1.4.13?

Franz · 2016-06-20 13:38:11

@Visman: It was announced here.

aceagenda · 2016-06-20 18:09:50

Neat upgrade! Many thanks!

cyberman · 2016-06-23 15:05:23

Franz wrote:

@cyberman: Just apply this commit, that fixes the vulnerability.

Thx!!!

Forums

#1 2016-06-16 12:50:21

FluxBB 1.5.10 released

#2 2016-06-16 13:45:55

Re: FluxBB 1.5.10 released

#3 2016-06-16 13:59:07

Re: FluxBB 1.5.10 released

#4 2016-06-16 15:43:25

Re: FluxBB 1.5.10 released

#5 2016-06-16 17:02:08

Re: FluxBB 1.5.10 released

#6 2016-06-16 20:51:06

Re: FluxBB 1.5.10 released

#7 2016-06-17 07:56:05

Re: FluxBB 1.5.10 released

#8 2016-06-17 11:52:43

Re: FluxBB 1.5.10 released

#9 2016-06-17 12:01:51

Re: FluxBB 1.5.10 released

#10 2016-06-17 12:44:30

Re: FluxBB 1.5.10 released

#11 2016-06-17 12:58:33

Re: FluxBB 1.5.10 released

#12 2016-06-17 13:28:28

Re: FluxBB 1.5.10 released

#13 2016-06-17 17:36:44

Re: FluxBB 1.5.10 released

#14 2016-06-17 20:40:19

Re: FluxBB 1.5.10 released

#15 2016-06-18 04:23:08

Re: FluxBB 1.5.10 released

#16 2016-06-18 09:47:21

Re: FluxBB 1.5.10 released

#17 2016-06-18 11:39:37

Re: FluxBB 1.5.10 released

#18 2016-06-18 13:17:12

Re: FluxBB 1.5.10 released

#19 2016-06-18 13:43:28

Re: FluxBB 1.5.10 released

#20 2016-06-19 00:44:41

Re: FluxBB 1.5.10 released

#21 2016-06-20 12:03:12

Re: FluxBB 1.5.10 released

#22 2016-06-20 12:23:06

Re: FluxBB 1.5.10 released

#23 2016-06-20 13:38:11

Re: FluxBB 1.5.10 released

#24 2016-06-20 18:09:50

Re: FluxBB 1.5.10 released

#25 2016-06-23 15:05:23

Re: FluxBB 1.5.10 released

Board footer